[Midnightbsd-cvs] src [7271] trunk/sys/amd64/amd64: fix a security issue on amd64 where the GS segment CPU register can be changed via userland value in kernel mode by using an IRET with #SS or #NP exceptions.
laffer1 at midnightbsd.org
Tue Aug 25 17:48:05 EDT 2015
Revision: 7271
http://svnweb.midnightbsd.org/src/?rev=7271
Author: laffer1
Date: 2015-08-25 17:48:04 -0400 (Tue, 25 Aug 2015)
Log Message:
-----------
fix a security issue on amd64 where the GS segment CPU register can be loaded with a userland-supplied value while in kernel mode, by using an IRET that raises an #SS or #NP exception.
Modified Paths:
--------------
trunk/sys/amd64/amd64/exception.S
trunk/sys/amd64/amd64/machdep.c
trunk/sys/amd64/amd64/trap.c
Modified: trunk/sys/amd64/amd64/exception.S
===================================================================
--- trunk/sys/amd64/amd64/exception.S 2015-08-23 18:57:51 UTC (rev 7270)
+++ trunk/sys/amd64/amd64/exception.S 2015-08-25 21:48:04 UTC (rev 7271)
@@ -150,9 +150,13 @@
IDTVEC(tss)
TRAP_ERR(T_TSSFLT)
IDTVEC(missing)
- TRAP_ERR(T_SEGNPFLT)
+ subq $TF_ERR,%rsp
+ movl $T_SEGNPFLT,TF_TRAPNO(%rsp)
+ jmp prot_addrf
IDTVEC(stk)
- TRAP_ERR(T_STKFLT)
+ subq $TF_ERR,%rsp
+ movl $T_STKFLT,TF_TRAPNO(%rsp)
+ jmp prot_addrf
IDTVEC(align)
TRAP_ERR(T_ALIGNFLT)
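Review bot: The rewritten IDTVEC(missing) and IDTVEC(stk) vectors now bypass TRAP_ERR and jump into the #GP handler at prot_addrf with no comment saying why, so a later cleanup could "simplify" them back to TRAP_ERR and silently reopen the issue this commit closes. A short comment above the `subq $TF_ERR,%rsp` in IDTVEC(missing), with a `/* see IDTVEC(missing) */` in IDTVEC(stk), would pin the intent: `/* #NP and #SS can be raised by the iretq in doreti_iret; route through prot_addrf so that case is handled like #GP (see IDTVEC(prot)). */`. The same applies to the second exception.S hunk, where the new `prot_addrf:` label deserves `/* shared entry for #NP/#SS: TF_TRAPNO already stored by the jumping vector */`, since placing the label after the `movl $T_PROTFLT,...` store is what keeps the three trap numbers distinct and that ordering is currently undocumented. IDTVEC(prot)'s body continues past the end of that hunk.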
@@ -315,6 +319,7 @@
IDTVEC(prot)
subq $TF_ERR,%rsp
movl $T_PROTFLT,TF_TRAPNO(%rsp)
+prot_addrf:
movq $0,TF_ADDR(%rsp)
movq %rdi,TF_RDI(%rsp) /* free up a GP register */
leaq doreti_iret(%rip),%rdi
Modified: trunk/sys/amd64/amd64/machdep.c
===================================================================
--- trunk/sys/amd64/amd64/machdep.c 2015-08-23 18:57:51 UTC (rev 7270)
+++ trunk/sys/amd64/amd64/machdep.c 2015-08-25 21:48:04 UTC (rev 7271)
@@ -425,6 +425,7 @@
regs->tf_rflags &= ~(PSL_T | PSL_D);
regs->tf_cs = _ucodesel;
regs->tf_ds = _udatasel;
+ regs->tf_ss = _udatasel;
regs->tf_es = _udatasel;
regs->tf_fs = _ufssel;
regs->tf_gs = _ugssel;
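Review bot: The new `regs->tf_ss = _udatasel;` is dropped between tf_ds and tf_es rather than next to tf_cs, the other selector the return iretq consumes, and carries no comment on why an explicit SS value is now required where none was set before; a one-liner such as `/* SS is consumed by the iretq back to user mode; never leave it stale */` would record the reason. The enclosing function starts and ends outside the hunk. If this file has other trapframe-initialisation paths (signal delivery, sigreturn-style restores), they presumably need the same treatment — worth confirming that tf_ss is set or validated there too.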
Modified: trunk/sys/amd64/amd64/trap.c
===================================================================
--- trunk/sys/amd64/amd64/trap.c 2015-08-23 18:57:51 UTC (rev 7270)
+++ trunk/sys/amd64/amd64/trap.c 2015-08-25 21:48:04 UTC (rev 7271)
@@ -473,8 +473,6 @@
goto out;
case T_STKFLT: /* stack fault */
- break;
-
case T_PROTFLT: /* general protection fault */
case T_SEGNPFLT: /* segment not present fault */
if (td->td_intr_nesting_level != 0)
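Review bot: Removing the `break;` makes `case T_STKFLT:` fall through into the T_PROTFLT/T_SEGNPFLT handling on purpose, but the hunk leaves no marker, so the fallthrough reads as an accident and will trip -Wimplicit-fallthrough or lint. Add `/* FALLTHROUGH */` on the line after `case T_STKFLT: /* stack fault */`, or place the three case labels together so the shared handling is visible at a glance. The enclosing switch and trap() begin and end outside the hunk.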